German Cyber Agency Chides Yahoo for Not Helping Hacking Probe

Germany’s federal cyber agency said on Thursday that Yahoo Inc had not cooperated with its investigation into a series of hacks that compromised more than one billion of the US company’s email users between 2013 and 2016.

Yahoo’s Dublin-based Europe, Middle East and Africa unit “refused to give the BSI any information and referred all questions to the Irish Data Protection Commission, without, however, giving it the authority to provide information to the BSI,” Germany’s BSI computer security agency said.

A BSI spokesman said it decided to go public after Yahoo repeatedly failed to respond to efforts to look into the data breaches and garner lessons to prevent similar lapses. BSI also urged internationally active Internet service providers to work more closely with it when German customers were affected by cyber-attacks and other computer security issues.

Yahoo declined to comment when contacted by Reuters, while Ireland’s data protection agency was not immediately available.

The BSI’s statement comes at a time of heightened German government concerns about Russian meddling in national elections in September, after cyber-attacks on the French and US presidential elections which have been linked to Russia.

The US Justice Department in March charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, marking the first time the US government had criminally charged Russian spies for cyber offences., while US officials have charged Russian intelligence agents with involvement in at least one of the hacks that affected Yahoo.

Moscow has denied any involvement in hacking.

The BSI said it did not yet have any concrete information about the data breaches because of Yahoo’s lack of cooperation.

“Users should therefore be very careful about which services they want to use in the future and to whom they entrust their data,” BSI President Arne Schoenbohm said in a statement.

The BSI chief reiterated his recommendation that German consumers consider switching to other email service providers, adding that certifications such as those offered with C5-class cloud service security were valuable for customers.

C5 is a German government scheme to encourage cloud-based Internet service providers to attest they use various safeguards against cyber-attacks.

Late last year Yahoo, which has agreed to be acquired by US telecoms giant Verizon and is set to be merged with AOL to form a new business known as Oath, revealed a data breach dating back to 2013 of one billion user accounts.

The various disclosures led Verizon to cut the amount it was willing to pay for Yahoo by $350 million on its previously agreed $4.83 billion deal. Yahoo has said it expects the merger into Verizon to close in June.

BSI said an additional 32 million Yahoo users were affected by cyber breaches in 2015 and 2016. A spokesman for the agency said he was unaware of any additional breaches in 2017.